2 cissp ® Official Study Guide Eighth Edition

Determining and Diagramming Potential Attacks

Download 19,3 Mb.

Pdf ko'rish

bet	55/881
Sana	08.04.2023
Hajmi	19,3 Mb.
	#925879

1 ... 51 52 53 54 55 56 57 58 ... 881

Bog'liq
(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Determining and Diagramming Potential Attacks
Once an understanding has been gained in regard to the threats facing your development
project or deployed infrastructure, the next step in threat modeling is to determine the
potential attack concepts that could be realized. This is often accomplished through the
creation of a diagram of the elements involved in a transaction along with indications of
data flow and privilege boundaries (Figure 1.8). This image is an example of a data flow
diagram that shows each major component of a system, the boundaries between security
zones, and the potential flow or movement of information and data. By crafting such a
diagram for each environment or system, it is possible to more closely examine each point
where a compromise could occur.
Such data flow diagrams are useful in gaining a better understanding of the relationships
of resources and movement of data through a visual representation. This process of dia-
gramming is also known as crafting an architecture diagram. The creation of the diagram
helps to detail the functions and purpose of each element of a business task, development pro-
cess, or work activity. It is important to include users, processors, applications, data-stores,
and all other essential elements needed to perform the specific task or operation. This is a
high-level overview and not a detailed evaluation of the coding logic. However, for more
complex systems, multiple diagrams may need to be created at various focus points and at
varying levels of detail magnification.

36
Chapter 1
■
Security Governance Through Principles and Policies
F I G u r e 1. 8
An example of diagramming to reveal threat concerns
Users
User / Web Server
Boundary
Web Server /
Database Boundary
Database
Files
Data
Data
Web Servlet
Authenticate User()
Authenticate
User SQL
Query
Authenticate
User SQL
Query Result
Pages
Web
Pages
Authenticate User
Result
Login Request
Login
Process
College
Library
Database
Login Response
Once a diagram has been crafted, identify all of the technologies involved. This would
include operating systems, applications (network service and client based), and protocols.
Be specific as to the version numbers and update/patch level in use.
Next, identify attacks that could be targeted at each element of the diagram. Keep in
mind that all forms of attacks should be considered, including logical/technical, physi-
cal, and social. For example, be sure to include spoofing, tampering, and social engineer-
ing. This process will quickly lead you into the next phase of threat modeling: reduction
analysis.

Download 19,3 Mb.

Do'stlaringiz bilan baham:

1 ... 51 52 53 54 55 56 57 58 ... 881